1. Field of the Invention
The present invention generally relates to data processing and more particularly to methods of restricting access to sensitive data in underlying databases.
2. Description of the Related Art
Databases are computerized information storage and retrieval systems. The most prevalent type of database is the relational database, a tabular database in which data is defined so that it can be reorganized and accessed in a number of different ways. A relational database management system is a computer database management system (DBMS) that uses relational techniques for storing and retrieving such data.
Regardless of the particular architecture, in a DBMS a requesting entity (e.g., an application or the operating system) requests access to a specified database by issuing a database access request. Such requests may include, for instance, simple catalog lookup requests, or transactions and combinations of transactions that operate to read, change and add specified records in the database. These requests are made using high-level query languages such as the Structured Query Language (SQL). Illustratively, SQL is used to make interactive queries for getting information from and updating a database such as International Business Machines' (IBM) DB2, Microsoft's SQL Server, and database products from Oracle, Sybase, and Computer Associates. The term “query” denominates a set of commands for retrieving data from a stored database. Queries take the form of a command language that lets programmers and programs select, insert, update, find out the location of data, and so forth.
One significant issue in the context of databases is security. Databases often contain confidential or otherwise sensitive data which requires some degree of security to be protected from inappropriate and unauthorized access. For example, medical records are considered highly personal and confidential. As such, access to medical records is typically restricted to selected users on the basis of suitable authorization and validation routines. More specifically, suitable validation routines can define which users may access an underlying database (or databases), and corresponding authorization routines can define which data in the underlying database(s) an authorized user may access. However, even though access to the underlying database(s) is restricted by this two-fold security mechanism, a user who has been granted access could still single out sensitive data and misuse it for unauthorized disclosure, fraud, waste, or abuse. In other words, it is possible for a user with limited authorization to perform enough consecutive queries, each refining the previous result set, to pinpoint particular sensitive information in the underlying database(s), even though no single query was denied.
For instance, assume a medical data warehouse of a medical institution holding sensitive data about the institution's patients. Assume further that a given researcher has been validated and authorized to access all data within the medical data warehouse. The researcher executes an initial query against the medical data warehouse in order to retrieve data about a broad array of patients. After receipt of the corresponding initial result set, the researcher analyzes it and notices information about a VIP patient therein. The researcher may then revise the initial query so that other likely VIP patients appear within a single subsequent result set. For instance, the researcher revises the initial query by restricting it on the basis of information that is expected to be common to some or all VIPs in the medical institution. By way of example, the initial query is restricted with respect to a typical VIP's profession, such as actor, singer or professional football player. Revising the initial query may also include formulating a request for retrieval of information about related individuals, such as siblings, children and/or parents. Although the researcher may have perfectly valid reasons for revising the initial query to select VIP data, the same revision may also be made in order to misuse the data.
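The following is an added illustration, not part of the original patent text and not a description of the invention it goes on to claim. It reproduces the refinement sequence described above against a constructed toy data warehouse (the table layout, the patient rows, the relative links and the VIP profession list are all assumptions made for the example), using SQLite so that the queries are real SQL. It also adds a hypothetical per-user monitor, `QuerySession`, which records the set of patient identifiers each query returns and flags a query that pinpoints fewer than an assumed threshold `K_MIN` of patients, distinguishing a plain small result set from one that narrows an earlier result set. The monitor only flags; as the text notes, the same refinement may be legitimate, so whether to block, audit or review a flagged session is a policy decision outside this example.

```python
import sqlite3

# Constructed toy data warehouse (not from the original document).
PATIENTS = [
    # id, name, age, profession, diagnosis
    (1, "Alice Anders", 34, "teacher", "diabetes"),
    (2, "Bob Brown", 52, "actor", "hypertension"),
    (3, "Cara Cole", 41, "nurse", "asthma"),
    (4, "Dan Drake", 29, "professional football player", "diabetes"),
    (5, "Eve Evans", 63, "singer", "diabetes"),
    (6, "Finn Ford", 47, "engineer", "hypertension"),
    (7, "Gia Green", 38, "actor", "migraine"),
    (8, "Hal Hunt", 55, "accountant", "diabetes"),
    (9, "Ivy Irwin", 31, "teacher", "asthma"),
]
# (patient_id, relative_id, relation); constructed links between patients.
RELATIVES = [(2, 7, "sibling"), (7, 2, "sibling"), (5, 9, "child")]

# Assumed list of professions the researcher treats as "typical VIP" professions.
VIP_PROFESSIONS = ("actor", "singer", "professional football player")

# Assumed threshold: a result set naming fewer than this many patients is suspicious.
K_MIN = 3


def build_warehouse():
    """Create the in-memory toy warehouse and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, age INTEGER,
                              profession TEXT, diagnosis TEXT);
        CREATE TABLE relative (patient_id INTEGER, relative_id INTEGER, relation TEXT);
    """)
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?, ?, ?)", PATIENTS)
    conn.executemany("INSERT INTO relative VALUES (?, ?, ?)", RELATIVES)
    return conn


class QuerySession:
    """Hypothetical monitor for one user's consecutive queries.

    Every query issued through the session must select patient.id as its first
    column; the monitor keeps the set of ids each query returned and flags a
    query whose result set is smaller than k_min, noting whether it is a
    refinement (a subset) of a result set the same user already retrieved.
    """

    def __init__(self, conn, k_min=K_MIN):
        self.conn = conn
        self.k_min = k_min
        self.history = []  # frozenset of patient ids per query, in order
        self.flags = []    # (query number, kind, sorted patient ids)

    def run(self, sql, params=()):
        rows = self.conn.execute(sql, params).fetchall()
        ids = frozenset(row[0] for row in rows)
        if 0 < len(ids) < self.k_min:
            refined = any(ids <= previous for previous in self.history)
            kind = "refinement of an earlier result set" if refined else "small result set"
            self.flags.append((len(self.history) + 1, kind, sorted(ids)))
        self.history.append(ids)
        return rows


def researcher_walkthrough():
    """Replay the three-step refinement described in the text through the monitor."""
    session = QuerySession(build_warehouse())

    # 1. Broad initial query: every diabetes patient. The result happens to
    #    include a singer and a professional football player.
    initial = session.run(
        "SELECT id, name, profession FROM patient WHERE diagnosis = ? ORDER BY id",
        ("diabetes",),
    )

    # 2. Revised query: the same population restricted to VIP-typical professions.
    marks = ", ".join("?" * len(VIP_PROFESSIONS))
    refined = session.run(
        f"SELECT id, name, profession FROM patient "
        f"WHERE diagnosis = ? AND profession IN ({marks}) ORDER BY id",
        ("diabetes", *VIP_PROFESSIONS),
    )

    # 3. Follow-up: related individuals of one VIP found in step 2 (patient 5).
    kin = session.run(
        "SELECT p.id, p.name, r.relation FROM relative r "
        "JOIN patient p ON p.id = r.relative_id WHERE r.patient_id = ? ORDER BY p.id",
        (5,),
    )
    return initial, refined, kin, session.flags


if __name__ == "__main__":
    initial, refined, kin, flags = researcher_walkthrough()
    print("initial:", initial)
    print("refined:", refined)
    print("kin:", kin)
    for number, kind, ids in flags:
        print(f"query {number}: {kind}, patients {ids}")
```

Running `researcher_walkthrough()` shows the pattern the text describes: the initial query returns four patients and raises no flag, the profession-restricted query narrows that set to two patients and is flagged as a refinement, and the relatives query returns a single patient and is flagged as a small result set. Each query on its own is authorized; only the sequence reveals the pinpointing, which is why the monitor keeps per-user history rather than judging queries in isolation.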
The foregoing is merely one example of how users may exploit conventional databases. A variety of other subversive techniques may be used to bypass security mechanisms in place to protect data contained in databases.
Therefore, there is a need for improved security mechanisms for databases.